Intel Management Engine deep dive - Peter Bosch
36c3 - Security - 12/27/2019
Reverse engineering a system on a chip from sparse documentation and binaries, developing an emulator from it and gathering the knowledge needed to develop a replacement for one of the more controversial binary blobs in the modern PC.
The Intel Management Engine, a secondary computer system embedded
in modern chipsets, has long been considered a security risk
because of its black-box nature and high privileges within the
system. The last few years have seen increasing amounts of
research into the ME and several vulnerabilities have been found.
Although limited details were published about these vulnerabilities,
reproducing exploits has been hard because of the limited information
available on the platform.
The ME firmware is the root of trust for the fTPM, Intel Boot Guard
and several other platform security features, controlling it allows
overriding manufacturer firmware signing, and allows implementing
many background management features.
I have spent most of past year reverse engineering the OS, hardware
and links to the host (main CPU) system. This research has led me
to create custom tools for manipulating firmware images, to write
an emulator for running ME firmware modules under controlled
circumstances and allowed me to replicate an unpublished exploit to
gain code execution.
In this talk I will share the knowledge I have gathered so far, document
my methods and also explain how to go about a similar project.
I also plan to discuss the possibility of an open source replacement
firmware for the Management Engine.
The information in this talk covers ME version 11.x, which is found in 6th and 7th generation chipsets (Skylake/Kabylake era), most of the hardware related information is also relevant for newer chipsets.